From 43a97878ce14b72f0981164f87f2e35e14151312 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 11:22:09 +0200
Subject: Adding upstream version 110.0.1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 .../tests/fetch/orb/resources/data.json            |   3 +
 .../tests/fetch/orb/resources/font.ttf             | Bin 0 -> 2528 bytes
 .../tests/fetch/orb/resources/image.png            | Bin 0 -> 1010 bytes
 .../tests/fetch/orb/resources/js-unlabeled.js      |   1 +
 .../fetch/orb/resources/png-mislabeled-as-html.png | Bin 0 -> 1010 bytes
 .../resources/png-mislabeled-as-html.png.headers   |   1 +
 .../tests/fetch/orb/resources/png-unlabeled.png    | Bin 0 -> 1010 bytes
 .../tests/fetch/orb/resources/script.js            |   4 +
 .../tests/fetch/orb/resources/sound.mp3            | Bin 0 -> 539 bytes
 .../tests/fetch/orb/resources/text.txt             |   1 +
 .../tests/fetch/orb/resources/utils.js             |  18 +++
 .../tentative/compressed-image-sniffing.sub.html   |  20 ++++
 .../fetch/orb/tentative/content-range.sub.any.js   |  31 +++++
 .../img-mime-types-coverage.tentative.sub.html     | 126 +++++++++++++++++++++
 .../img-png-mislabeled-as-html.sub-ref.html        |   5 +
 .../tentative/img-png-mislabeled-as-html.sub.html  |   7 ++
 .../orb/tentative/img-png-unlabeled.sub-ref.html   |   5 +
 .../fetch/orb/tentative/img-png-unlabeled.sub.html |   7 ++
 .../fetch/orb/tentative/known-mime-type.sub.any.js |  41 +++++++
 .../tests/fetch/orb/tentative/nosniff.sub.any.js   |  59 ++++++++++
 .../tentative/script-js-unlabeled-gziped.sub.html  |  24 ++++
 .../fetch/orb/tentative/script-unlabeled.sub.html  |  24 ++++
 .../tests/fetch/orb/tentative/status.sub.any.js    |  33 ++++++
 .../tests/fetch/orb/tentative/status.sub.html      |  17 +++
 .../orb/tentative/unknown-mime-type.sub.any.js     |  28 +++++
 25 files changed, 455 insertions(+)
 create mode 100644 testing/web-platform/tests/fetch/orb/resources/data.json
 create mode 100644 testing/web-platform/tests/fetch/orb/resources/font.ttf
 create mode 100644 testing/web-platform/tests/fetch/orb/resources/image.png
 create mode 100644 testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js
 create mode 100644 testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png
 create mode 100644 testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers
 create mode 100644 testing/web-platform/tests/fetch/orb/resources/png-unlabeled.png
 create mode 100644 testing/web-platform/tests/fetch/orb/resources/script.js
 create mode 100644 testing/web-platform/tests/fetch/orb/resources/sound.mp3
 create mode 100644 testing/web-platform/tests/fetch/orb/resources/text.txt
 create mode 100644 testing/web-platform/tests/fetch/orb/resources/utils.js
 create mode 100644 testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html
 create mode 100644 testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js
 create mode 100644 testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html
 create mode 100644 testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html
 create mode 100644 testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html
 create mode 100644 testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html
 create mode 100644 testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html
 create mode 100644 testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js
 create mode 100644 testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js
 create mode 100644 testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html
 create mode 100644 testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html
 create mode 100644 testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js
 create mode 100644 testing/web-platform/tests/fetch/orb/tentative/status.sub.html
 create mode 100644 testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js

(limited to 'testing/web-platform/tests/fetch/orb')

diff --git a/testing/web-platform/tests/fetch/orb/resources/data.json b/testing/web-platform/tests/fetch/orb/resources/data.json
new file mode 100644
index 0000000000..f2a886f39d
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/data.json
@@ -0,0 +1,3 @@
+{
+  "hello": "world"
+}
diff --git a/testing/web-platform/tests/fetch/orb/resources/font.ttf b/testing/web-platform/tests/fetch/orb/resources/font.ttf
new file mode 100644
index 0000000000..9023592ef5
Binary files /dev/null and b/testing/web-platform/tests/fetch/orb/resources/font.ttf differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/image.png b/testing/web-platform/tests/fetch/orb/resources/image.png
new file mode 100644
index 0000000000..820f8cace2
Binary files /dev/null and b/testing/web-platform/tests/fetch/orb/resources/image.png differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js b/testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js
new file mode 100644
index 0000000000..a880a5bc72
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js
@@ -0,0 +1 @@
+window.has_executed_script = true;
diff --git a/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png
new file mode 100644
index 0000000000..820f8cace2
Binary files /dev/null and b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers
new file mode 100644
index 0000000000..156209f9c8
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers
@@ -0,0 +1 @@
+Content-Type: text/html
diff --git a/testing/web-platform/tests/fetch/orb/resources/png-unlabeled.png b/testing/web-platform/tests/fetch/orb/resources/png-unlabeled.png
new file mode 100644
index 0000000000..820f8cace2
Binary files /dev/null and b/testing/web-platform/tests/fetch/orb/resources/png-unlabeled.png differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/script.js b/testing/web-platform/tests/fetch/orb/resources/script.js
new file mode 100644
index 0000000000..19675d25d8
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/script.js
@@ -0,0 +1,4 @@
+"use strict";
+function fn() {
+  return 42;
+}
diff --git a/testing/web-platform/tests/fetch/orb/resources/sound.mp3 b/testing/web-platform/tests/fetch/orb/resources/sound.mp3
new file mode 100644
index 0000000000..a15d1de328
Binary files /dev/null and b/testing/web-platform/tests/fetch/orb/resources/sound.mp3 differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/text.txt b/testing/web-platform/tests/fetch/orb/resources/text.txt
new file mode 100644
index 0000000000..270c611ee7
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/text.txt
@@ -0,0 +1 @@
+hello, world!
diff --git a/testing/web-platform/tests/fetch/orb/resources/utils.js b/testing/web-platform/tests/fetch/orb/resources/utils.js
new file mode 100644
index 0000000000..94a2177f07
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/utils.js
@@ -0,0 +1,18 @@
+function header(name, value) {
+  return `header(${name},${value})`;
+}
+
+function contentType(type) {
+  return header("Content-Type", type);
+}
+
+function contentTypeOptions(type) {
+  return header("X-Content-Type-Options", type);
+}
+
+function fetchORB(file, options, ...pipe) {
+  return fetch(`${file}${pipe.length ? `?pipe=${pipe.join("|")}` : ""}`, {
+    ...(options || {}),
+    mode: "no-cors",
+  });
+}
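Review bot: `header()` interpolates `name` and `value` unescaped and `fetchORB` appends `?pipe=` by plain concatenation, so a value containing `,`, `|` or `)`, or a `file` that already has a query string, would produce a malformed pipe expression instead of the intended response header. No caller in this patch hits that, but these helpers decide which `Content-Type` and `X-Content-Type-Options` the ORB tests see, so the restriction deserves a comment such as `// name/value are pasted verbatim into a wptserve ?pipe= expression; they must not contain ',', '|' or ')'`. A one-line note on `fetchORB` that `mode: "no-cors"` comes after the spread, so that callers cannot override it and the response stays opaque, would also help; that intent is inferred from the ordering.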
diff --git a/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html b/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html
new file mode 100644
index 0000000000..38e70c69ad
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html
@@ -0,0 +1,20 @@
+<!-- Test verifies that compressed images should not be blocked
+-->
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+async_test(function(t) {
+  let url = "http://{{domains[www1]}}:{{ports[http][0]}}"
+  url = url + "/fetch/orb/resources/png-unlabeled.png?pipe=gzip"
+
+  const img = document.createElement("img");
+  img.src = url;
+  img.onerror = t.unreached_func("Unexpected error event")
+  img.onload = t.step_func_done(function () {
+    assert_true(true);
+  })
+  document.body.appendChild(img)
+}, "ORB shouldn't block compressed images");
+</script>
+
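Review bot: The load handler's only assertion is `assert_true(true)`, so the test passes on any `load` event and never checks that the gzip-encoded PNG was actually decoded. Asserting on the decoded image, for example `assert_greater_than(img.naturalWidth, 0);`, would tie the pass to a real image. The handlers are also attached after `img.src` is assigned, whereas img-mime-types-coverage.tentative.sub.html sets `onerror`/`onload` first; setting them before `src` is the safer and more consistent order.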
diff --git a/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js
new file mode 100644
index 0000000000..ee97521a55
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js
@@ -0,0 +1,31 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const url =
+  "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/image.png";
+
+promise_test(async () => {
+  let headers = new Headers([["Range", "bytes=0-99"]]);
+  await fetchORB(
+    url,
+    { headers },
+    header("Content-Range", "bytes 0-99/1010"),
+    "slice(null,100)",
+    "status(206)"
+  );
+}, "ORB shouldn't block opaque range of image/png starting at zero");
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(
+        url,
+        { headers: new Headers([["Range", "bytes 10-99"]]) },
+        header("Content-Range", "bytes 10-99/1010"),
+        "slice(10,100)",
+        "status(206)"
+      )
+    ),
+  "ORB should block opaque range of image/png not starting at zero, that isn't subsequent"
+);
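Review bot: The second test sends `Range: bytes 10-99` (a space instead of `=`), which is not valid range syntax and differs from the `bytes=0-99` used in the first test. The response is shaped entirely by the pipes, so the test can still reject, but the request no longer represents the non-initial range request the title describes, and a no-cors fetch may drop the malformed header altogether. I would change the line to `{ headers: new Headers([["Range", "bytes=10-99"]]) },`.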
diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html
new file mode 100644
index 0000000000..5dc6c5d63a
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html
@@ -0,0 +1,126 @@
+<!-- Test verifies that cross-origin, nosniff images are 1) blocked when their
+  MIME type is covered by ORB and 2) allowed otherwise.
+
+  This test is very similar to fetch/orb/img-mime-types-coverage.tentative.sub.html,
+  except that it focuses on MIME types relevant to ORB.
+-->
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+  var passes = [
+    // ORB safelisted MIME-types - i.e. ones covered by:
+    // - https://github.com/annevk/orb
+
+    "text/css",
+    "image/svg+xml",
+
+    // JavaScript MIME types
+    "application/ecmascript",
+    "application/javascript",
+    "application/x-ecmascript",
+    "application/x-javascript",
+    "text/ecmascript",
+    "text/javascript",
+    "text/javascript1.0",
+    "text/javascript1.1",
+    "text/javascript1.2",
+    "text/javascript1.3",
+    "text/javascript1.4",
+    "text/javascript1.5",
+    "text/jscript",
+    "text/livescript",
+    "text/x-ecmascript",
+    "text/x-javascript",
+  ]
+
+  var fails = [
+    // ORB blocklisted MIME-types - i.e. ones covered by:
+    // - https://github.com/annevk/orb
+
+    "text/html",
+
+    // JSON MIME type
+    "application/json",
+    "text/json",
+    "application/ld+json",
+
+    // XML MIME type
+    "text/xml",
+    "application/xml",
+    "application/xhtml+xml",
+
+    "application/dash+xml",
+    "application/gzip",
+    "application/msexcel",
+    "application/mspowerpoint",
+    "application/msword",
+    "application/msword-template",
+    "application/pdf",
+    "application/vnd.apple.mpegurl",
+    "application/vnd.ces-quickpoint",
+    "application/vnd.ces-quicksheet",
+    "application/vnd.ces-quickword",
+    "application/vnd.ms-excel",
+    "application/vnd.ms-excel.sheet.macroenabled.12",
+    "application/vnd.ms-powerpoint",
+    "application/vnd.ms-powerpoint.presentation.macroenabled.12",
+    "application/vnd.ms-word",
+    "application/vnd.ms-word.document.12",
+    "application/vnd.ms-word.document.macroenabled.12",
+    "application/vnd.msword",
+    "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+    "application/vnd.openxmlformats-officedocument.presentationml.template",
+    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+    "application/vnd.openxmlformats-officedocument.spreadsheetml.template",
+    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+    "application/vnd.openxmlformats-officedocument.wordprocessingml.template",
+    "application/vnd.presentation-openxml",
+    "application/vnd.presentation-openxmlm",
+    "application/vnd.spreadsheet-openxml",
+    "application/vnd.wordprocessing-openxml",
+    "application/x-gzip",
+    "application/x-protobuf",
+    "application/x-protobuffer",
+    "application/zip",
+    "audio/mpegurl",
+    "multipart/byteranges",
+    "multipart/signed",
+    "text/event-stream",
+    "text/csv",
+    "text/vtt",
+]
+
+  const get_url = (mime) => {
+    // www1 is cross-origin, so the HTTP response is ORB-eligible -->
+    url = "http://{{domains[www1]}}:{{ports[http][0]}}"
+    url = url + "/fetch/nosniff/resources/image.py"
+    if (mime != null) {
+      url += "?type=" + encodeURIComponent(mime)
+    }
+    return url
+  }
+
+  passes.forEach(function (mime) {
+    async_test(function (t) {
+      var img = document.createElement("img")
+      img.onerror = t.unreached_func("Unexpected error event")
+      img.onload = t.step_func_done(function () {
+        assert_equals(img.width, 96)
+      })
+      img.src = get_url(mime)
+      document.body.appendChild(img)
+    }, "ORB should allow the response if Content-Type is: '" + mime + "'.  ")
+  })
+
+  fails.forEach(function (mime) {
+    async_test(function (t) {
+      var img = document.createElement("img")
+      img.onerror = t.step_func_done()
+      img.onload = t.unreached_func("Unexpected load event")
+      img.src = get_url(mime)
+      document.body.appendChild(img)
+    }, "ORB should block the response if Content-Type is: '" + mime + "'.  ")
+  })
+</script>
+
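Review bot: Inside `get_url`, `url` is assigned without a declaration, so it becomes an implicit global shared by every test in the file; declare it locally with `let url = "http://{{domains[www1]}}:{{ports[http][0]}}"`. The comment on that line ends in a stray `-->`, which is HTML comment syntax inside a script block and should be dropped. The header comment also describes this file as similar to `fetch/orb/img-mime-types-coverage.tentative.sub.html`, which is this file's own name; it presumably means the CORB counterpart and should name that path.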
diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html
new file mode 100644
index 0000000000..66462fb5e3
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html
@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<!-- Same-origin, so the HTTP response is not ORB-eligible. -->
+<img src="../resources/png-mislabeled-as-html.png">
+
diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html
new file mode 100644
index 0000000000..aa03f4db63
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<!-- Test verifies that ORB allows an mislabeled cross-origin image after sniffing. -->
+<meta charset="utf-8">
+<!-- Reference page uses same-origin resources, which are not ORB-eligible. -->
+<link rel="match" href="img-png-mislabeled-as-html.sub-ref.html">
+<!-- www1 is cross-origin, so the HTTP response is ORB-eligible -->
+<img src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/png-mislabeled-as-html.png">
diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html
new file mode 100644
index 0000000000..2d5e3bb8b5
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html
@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<!-- Same-origin, so the HTTP response is not ORB-eligible. -->
+<img src="../resources/png-unlabeled.png">
+
diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html
new file mode 100644
index 0000000000..77415f6af1
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<!-- Test verifies that ORB allows an unlabeled cross-origin image after sniffing. -->
+<meta charset="utf-8">
+<!-- Reference page uses same-origin resources, which are not ORB-eligible. -->
+<link rel="match" href="img-png-unlabeled.sub-ref.html">
+<!-- www1 is cross-origin, so the HTTP response is ORB-eligible -->
+<img src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/png-unlabeled.png">
diff --git a/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js
new file mode 100644
index 0000000000..a7bb663058
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js
@@ -0,0 +1,41 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(`${path}/font.ttf`, null, contentType("font/ttf"))
+    ),
+  "ORB should block opaque font/ttf"
+);
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(`${path}/text.txt`, null, contentType("text/plain"))
+    ),
+  "ORB should block opaque text/plain"
+);
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(`${path}/data.json`, null, contentType("application/json"))
+    ),
+  "ORB should block opaque application/json"
+);
+
+promise_test(async () => {
+  fetchORB(`${path}/image.png`, null, contentType("image/png"));
+}, "ORB shouldn't block opaque image/png");
+
+promise_test(async () => {
+  await fetchORB(`${path}/script.js`, null, contentType("text/javascript"));
+}, "ORB shouldn't block opaque text/javascript");
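Review bot: The "ORB shouldn't block opaque image/png" test calls `fetchORB(...)` without `await` or `return`, so the async function resolves immediately and the test passes even if the fetch later rejects. As written it gives no signal about whether ORB wrongly blocks a correctly labelled image, and the rejection would surface only as an unhandled promise. The line should read `await fetchORB(`${path}/image.png`, null, contentType("image/png"));`, matching the text/javascript test below it.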
diff --git a/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js
new file mode 100644
index 0000000000..3df9d22e0b
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js
@@ -0,0 +1,59 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(
+        `${path}/text.txt`,
+        null,
+        contentType("text/plain"),
+        contentTypeOptions("nosniff")
+      )
+    ),
+  "ORB should block opaque text/plain with nosniff"
+);
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(
+        `${path}/data.json`,
+        null,
+        contentType("application/json"),
+        contentTypeOptions("nosniff")
+      )
+    ),
+  "ORB should block opaque-response-blocklisted MIME type with nosniff"
+);
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(
+        `${path}/data.json`,
+        null,
+        contentType(""),
+        contentTypeOptions("nosniff")
+      )
+    ),
+  "ORB should block opaque response with empty Content-Type and nosniff"
+);
+
+promise_test(
+  () =>
+    fetchORB(
+      `${path}/image.png`,
+      null,
+      contentType(""),
+      contentTypeOptions("nosniff")
+    ),
+  "ORB shouldn't block opaque image with empty Content-Type and nosniff"
+);
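Review bot: The last two tests send the same headers (empty `Content-Type` plus `nosniff`) and differ only in the body served, yet one expects a block and the other an allow, and nothing in the file says why. A short comment above the final test would make the intent reviewable, e.g. `// image.png is still allowed: presumably ORB's image sniffing runs before the nosniff check (confirm against the ORB draft)`. Without it, a reader could take the allow case for an accidental gap in nosniff enforcement.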
diff --git a/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html b/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html
new file mode 100644
index 0000000000..fe85440798
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<!-- Test verifies that gziped script which parses as Javascript (not JSON) without Content-Type will execute with ORB. -->
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div id=log></div>
+
+<script>
+setup({ single_test: true });
+window.has_executed_script = false;
+</script>
+
+<!-- www1 is cross-origin, so the HTTP response is CORB-eligible -->
+<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled.js?pipe=gzip|header(Content-Type,)">
+</script>
+
+<script>
+// Verify what observable effects the <script> tag above had.
+// Assertion should hold with and without ORB:
+assert_true(window.has_executed_script,
+            'The cross-origin script should execute');
+done();
+</script>
+
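Review bot: The comment above the cross-origin `<script>` says the response is "CORB-eligible", but this is an ORB test and the sibling image tests say "ORB-eligible"; it looks like a leftover from the CORB test this was derived from and should read `<!-- www1 is cross-origin, so the HTTP response is ORB-eligible -->`. The same stale comment appears in script-unlabeled.sub.html. The filename and the header comment also spell "gziped" where "gzipped" is meant.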
diff --git a/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html b/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html
new file mode 100644
index 0000000000..4987f1307e
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<!-- Test verifies that script which parses as Javascript (not JSON) without Content-Type will execute with ORB. -->
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div id=log></div>
+
+<script>
+setup({ single_test: true });
+window.has_executed_script = false;
+</script>
+
+<!-- www1 is cross-origin, so the HTTP response is CORB-eligible -->
+<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled.js">
+</script>
+
+<script>
+// Verify what observable effects the <script> tag above had.
+// Assertion should hold with and without ORB:
+assert_true(window.has_executed_script,
+            'The cross-origin script should execute');
+done();
+</script>
+
diff --git a/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js
new file mode 100644
index 0000000000..b94d8b7f63
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js
@@ -0,0 +1,33 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(
+        `${path}/data.json`,
+        null,
+        contentType("application/json"),
+        "status(206)"
+      )
+    ),
+  "ORB should block opaque-response-blocklisted MIME type with status 206"
+);
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(
+        `${path}/data.json`,
+        null,
+        contentType("application/json"),
+        "status(302)"
+      )
+    ),
+  "ORB should block opaque response with non-ok status"
+);
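Review bot: The "non-ok status" case uses `status(302)`, a redirect status served without a `Location` header, so a `TypeError` here could come from the redirect handling as well as from ORB's status check. `promise_rejects_js(t, TypeError, ...)` cannot tell the two apart. A non-redirect failure status such as `"status(404)"` would isolate the ORB decision; if 302 is intentional, a comment saying so would help.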
diff --git a/testing/web-platform/tests/fetch/orb/tentative/status.sub.html b/testing/web-platform/tests/fetch/orb/tentative/status.sub.html
new file mode 100644
index 0000000000..a62bdeb35e
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/status.sub.html
@@ -0,0 +1,17 @@
+'use strict';
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+async_test(function(t) {
+  let url = "http://{{domains[www1]}}:{{ports[http][0]}}"
+  url = `${url}/fetch/orb/resources/sound.mp3?pipe=status(301)|header(Content-Type,)`
+
+  const video = document.createElement("video");
+  video.src = url;
+  video.onerror = t.step_func_done();
+  video.onload = t.unreached_func("Unexpected error event");
+  document.body.appendChild(video);
+}, "ORB should block initial media requests with status not 200 or 206");
+</script>
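Review bot: `video.onload` will never fire, because media elements do not dispatch a `load` event, so the `unreached_func` guard is dead and an unblocked response would show up only as a timeout. Use a media event instead, e.g. `video.onloadeddata = t.unreached_func("Unexpected load event");`, which also corrects the message that currently says "Unexpected error event" on the success path. The leading `'use strict';` sits outside any `<script>` element, so it is rendered as page text and has no effect; it should be removed or moved inside the script block. The handlers are also attached after `video.src` is assigned and would be safer set first.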
diff --git a/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js
new file mode 100644
index 0000000000..f72ff928ad
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js
@@ -0,0 +1,28 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+promise_test(
+  () => fetchORB(`${path}/font.ttf`, null, contentType("")),
+  "ORB shouldn't block opaque failed missing MIME type (font/ttf)"
+);
+
+promise_test(
+  () => fetchORB(`${path}/text.txt`, null, contentType("")),
+  "ORB shouldn't block opaque failed missing MIME type (text/plain)"
+);
+
+promise_test(
+  t => fetchORB(`${path}/data.json`, null, contentType("")),
+  "ORB shouldn't block opaque failed missing MIME type (application/json)"
+);
+
+promise_test(
+  () => fetchORB(`${path}/image.png`, null, contentType("")),
+  "ORB shouldn't block opaque failed missing MIME type (image/png)"
+);
+
+promise_test(
+  () => fetchORB(`${path}/script.js`, null, contentType("")),
+  "ORB shouldn't block opaque failed missing MIME type (text/javascript)"
+);
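Review bot: The test titles read "opaque failed missing MIME type", which is hard to parse and does not say what is being allowed; something like `"ORB shouldn't block opaque response with missing MIME type (font/ttf)"` would be clearer in result listings. The data.json case also declares an unused `t` parameter where the others use `() =>`. Since known-mime-type.sub.any.js expects the same bodies to be blocked once labelled, a one-line comment stating that an empty `Content-Type` is what makes them allowed here would document the contrast.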
-- 
cgit v1.2.3